[STOCK KERNELS] selinux enforcing and rootable - Galaxy Note5 Android Development

THESE ARE UNSUPPORTED. YOU ARE RESPONSIBLE FOR ANYTHING THAT HAPPENS AS A RESULT OF YOUR ACTIONS.
WARNING: THESE BOOT IMAGES HAVE BEEN CAUSING BOOT LOOPS FOR SOME USERS. THEY INCLUDE PEOPLE WHO ARE USING NON-STOCK FIRMWARE, FIRMWARE FROM ANOTHER DEVICE (such as using "c" firmware on an "i" device) AND THE ONE PERSON WHO'S TRIED THE "8" BOOT IMAGE. INSTALL AT YOUR OWN RISK AND BE SURE YOU HAVE A METHOD TO RECOVER ANOTHER BOOT IMAGE.
ALL QUESTIONS/COMMENTS/REQUESTS SHOULD GO HERE: http://forum.xda-developers.com/note5/help/qa-stock-kernels-selinux-enforcing-t3222324
I've taken the stock boot image (kernel) from a few different devices and repacked them in order to make them safe for use with SuperSU.
These kernels are Samsung stock SEAndroid enforcing. That means higher security (but also the chance that some *root* programs fail.) The ramdisk is modified to allow SuperSU to work, and to prevent boot loops when you're using a modified device. The ramdisk is also modified to work around the Samsung kernel bug that would prevent some devices from going into deep sleep.
Other than these changes, they are completely, 100% stock. They will NOT auto-root your device (though it is safe to install SuperSU after installing this kernel), they won't grow new hair on your head, and most certainly won't find you a spouse.
For details on the changes, please read this thread:
http://forum.xda-developers.com/note5/orig-development/kernel-discussion-root-recompiling-t3219990
As these are STOCK kernels (not recompiled), all your hardware should continue to work properly. From my own tests, I have no reboot issues, no NFC issues, etc.
Each file attached here has a file name that reflects the firmware I pulled it from. Read it carefully. Don't use a kernel that shouldn't be used on your device!
Files ending with ".tar.zip" can be unzipped (they contain only a .tar file) and applied via ODIN (PDA/AP section). The files must be unzipped before use in ODIN. These ".tar.zip" files can NOT be flashed with TWRP or CWM.
Files ending with just ".zip" are meant to be flashed via TWRP or CWM. You can also extract the .img files from the .tar.zip files mentioned above and flash those directly with TWRP (using the proper options.)
Yes, this will trip KNOX if it's not already tripped...
Enjoy..
Gary

N9208ZTU1AOH4

OP updated to include a big red boot loop warning...

Added N920T (T-Mobile) to the top post.

Added modified boot images for the T-Mobile "M" leak N920TUVU2DOK5. The origin of the boot image is @danon.brown. Thanks to @gharris040604 for testing this...

Added N920LKLU2AOJ6 to the first post.

Added N920GDDU2AOJ5 to the first post.

Related

[Alpha][Systemless Root][bacon] Rooted Boot Images

Read before continuing:
http://forums.yuplaygod.com/threads/15124/
http://forum.xda-developers.com/showpost.php?p=63197935
http://forum.xda-developers.com/android/software-hacking/wip-selinux-capable-superuser-t3216394
Requirements:
Completely stock, untouched device (OnePlus One).
Unlocked bootloader.
Rooted boot images:
cm-12.1-YOG7DAS2K1-bacon-boot-debuggable-rooted.img
Usage:
Download the rooted boot image that matches with your installed build.
Flash using fastboot:
Code:
fastboot flash boot XXX.img
Install the SuperUser manager app: https://play.google.com/store/apps/details?id=me.phh.superuser
Profit!
To take incremental OTA:
Download the stock boot image that matches with your installed build. Either extract from signed fastboot flashable zips or get from this thread.
Flash using fastboot:
Code:
fastboot flash boot XXX.img
You should be able to take & install the OTA if /system wasn't tampered with previously.
Note:
The rooted boot images are based on official boot-debuggable images & super-bootimg by @phhusson.
The whole thing is in alpha stage & still WIP, so expect bugs.
Not all apps are compatible with the systemless root approach, so root access may not be visible to them.
Please provide detailed feedback to me, @phhusson & the concerned app developer.
Reserved for future v1.
Reserved for future v2.
I read the second and third links, but had to sign up to get the first (not with it at this time) and I'm kinda confused. What exactly is wrong with the "old way" of rooting? Is it just for things like Android pay to work or is there other benefits?
Sent from my LG-D800 using Tapatalk
@FlashHappy78
In a nutshell, the traditional rooting method modifies the /system partition. As a consequence, subsequent OTAs will fail. In the case of Cyanogen OS devices, it may be easier to grab the full signed zip later & update manually, but for others they need to re-flash the stock system.img to take the OTA.
In this new approach, only the boot image is modified and /system is untouched. Thus any event/application that verifies the integrity of the /system partition (like OTA, Android Pay etc.) is ready to be executed on top of the rooted device without any hitch.
If the OTA contains an updated boot image, then the user needs to re-flash the stock boot image first, which is considerably easier than re-flashing the whole system.img.
I've always been under the assumption that OEM OTA updates usually break root anyway, plus patch whatever exploits were used to gain root (especially from OEMs like Samsung and LG), so because of that, I never take OTA updates unless they come from custom ROM devs.
Anyways, thanks for the clarification. I don't use android pay and I use only custom ROMs, so this probably isn't for me then. Thanks again mate.
Sent from my LG-D800 using Tapatalk
Do you have any systemless image for CM13? I tried to find a way to change the : cm-13.0-ZNH0EAS2JK-bacon-boot-debuggable.img for myself but no luck, I will have to come back to it next week.
Do you have any links to suggest?
poulopoulosa said:
Do you have any systemless image for CM13? I tried to find a way to change the : cm-13.0-ZNH0EAS2JK-bacon-boot-debuggable.img for myself but no luck, I will have to come back to it next week.
Do you have any links to suggest?
Flash supersu at least the stable 2.64
poulopoulosa said:
Do you have any systemless image for CM13? I tried to find a way to change the : cm-13.0-ZNH0EAS2JK-bacon-boot-debuggable.img for myself but no luck, I will have to come back to it next week.
Do you have any links to suggest?
As suggested by @hellcat50, I'll not provide any more updates on this as newer SuperSU can patch the boot image on the fly.

[ROOT] [6.0.1] Galaxy A3 2016 Boot Logo Changer

Hi guys, here is a boot logo switcher for the Galaxy A3 2016. It works on all rooted SM-A310Fs on Marshmallow.
DOWNLOAD
bit.ly.2pnYH3a (replace the dot after y with a slash)
METHOD
I strongly recommend taking a nandroid backup and a backup of your existing boot.img before you attempt this (you can do this either through TWRP recovery or by pulling it from adb)
1. Extract the zip to a separate folder. You should have two files, META-INF and tar.
2. Copy your logo.jpg to this folder. It should be 1280x720.
3. Select all three files (Hold down ctrl and click on the files) and select send to - zip.
4. Copy this zip to the root of your SD card and flash in recovery (I recommend ashyx TWRP). When you reboot you should see a shiny new boot logo!
IMPORTANT
- The logo MUST be .jpg, and it must match the screen resolution of the device. In my case this is 1280x720.
- If something goes wrong, flash this .zip to restore the original boot logo. This is the white stock bootlogo. You can find the .zip at bit.ly.2p5koBX (again, remove the dot after ly and replace with a /)
- If you have no bootlogo, try flashing the zip above. If the problem persists, try to restore the backup you made earlier.
I am not responsible for any damage that may occur to your device by doing this.
This may work on other Samsung devices, however I have not tested it. It works on my SM-A310F rooted on Marshmallow. Let me know if it works on other devices. This method may work on other Samsung devices, however it is pointless to try it on other devices, as it is much easier on those. Samsung, as you may know, uses a custom format for boot logos and animations, hence requiring custom scripts to change them.
A3 & A5 2016 already have threads for boot logo changes.
[mod][a310f][bootlogo]
[MOD] Flashable Custom Bootup charging & Splash screens for A5 (A510F)
WARNING
This thread also lacks very important information about image properties, what can go wrong, and how to restore the original logo.
The partition you modify is part of the bootloader, so please don't just try on any device unless you know what you're doing.
Correct resolution and dpi for your device logo.jpg, correct partition path etc.
Otherwise there's a good chance it will brick.

[TOOL][HOW-TO] [Nexus 6P] Bootloop of Death (BLOD) Workaround [Flashable Zip]

Bootloop of Death (BLOD) Workaround AnyKernel3 zip for Nexus 6P
osm0sis said:
Guys.. bad news.. my Nexus 5X just got hit with the BLOD.
Good news for everyone is I spent a bit of time tonight to first patch TWRP 3.2.1-0-FBE (File-Based Encryption support) image to be 4core, then made an AnyKernel2 zip which will patch the existing boot and recovery partitions on-device to add all the 4core fixes from @XCnathan32.
Should work over any ROM, any custom kernel, recovery, etc., can be added in queue after ROM, root zip + custom kernel to patch it from TWRP or FlashFire (so good for OTAs), and simplifies the initial process greatly since you can now fastboot boot any 4core recovery.img and then adb sideload my AK3 zip to fix the likely newer recovery you already had on your device.
Original thread posts: Nexus 5X, Nexus 6P
Now updated to an AnyKernel3 zip to support the SAR (system-as-root) and 2SI (2 stage init) ROMs that have popped up for Pie and Android 10+!
General Information
If you've found this thread then I'm sure you probably already know what the Bootloop of Death is - separation of the performance (perf) CPU cores - and that the only way to recover from it is to unlock your bootloader and patch to disable the faulty cluster. If you have not enabled unlocking your bootloader yet, the known methods to get it to boot long enough so you can go to System, then Developer Options and toggle "OEM unlocking" are:
super cooling the device in a freezer in a ziplock bag to keep out moisture,
super heating around the camera, and
letting the battery run all the way down before trying to boot.
For further details on these methods check out the original threads by @XCnathan32, linked in the "Thanks" section.
Some important notes before going any further:
Freezing at the Google logo likely points to it being perf cluster separation, but this could also be caused by other components separating.
Freezing at the boot animation suggests ROM/ROM data problem or could also potentially be a BLOD with other components now beginning to separate and that's what people have reported when the 4core mods suddenly stop working with no configuration changes - if you've tried the default boot.img for your ROM, patched with the BLOD AK3 and it still doesn't work, sorry but your device is a brick.
If no 4core recovery boots for you then you definitely have more components than just the performance cores separated, sorry but your device is a brick.
I haven't seen anyone say their devices only worked using a "1core" modification who had tried a proper 4core patched setup; 4core makes sense because it's the separate perf cores cluster becoming unsoldered, but if the 4 low power cores cluster also starts to come unsoldered logically not even a single core would work.. I think that's where the "Green Screen Of Death" comes into it.
DemiGod = Green Screen Of Death; unfortunately this (more components separating given more time - maybe the flash memory chip?) is why many call the 4core workaround only temporary.. there's not much that can be done after that from what I've read.
EX Kernel does not support FBE on these devices because the EX zip patches the fstab forcefdeorfbe flag to encryptable.
Android 10 does not appear to support FBE on these devices but the 4core FBE TWRP build can be used to BLOD patch the latest TWRP (see instructions in next post).
On Oreo, I was personally on stock ROM still, FBE enabled, rooted with SuperSU v2.82 SR5 + suhide and the latest Franco Kernel on my 5X. Then I bumped up the min freq on the low perf cores and it's working great - totally fine for general use, just anything creating a bit of heat like games maxing the low power cores for awhile, or charging, will make it pretty painfully laggy and risk further solder deterioration.
Even though SuperSU development is ostensibly dead, I still strongly recommend it on BLOD-affected devices using stock ROM for reasons I'll explain below.
My development work on my many projects comes out of my free time, so if you enjoy this project or anything else I've done on xda, please consider sponsoring my ongoing work using my GitHub Sponsors profile. For a one-time donation you can hit the donate link from my profile. Thank you for your support!
Step-By-Step Installation Instructions
Any quoted commands should be entered without quotes
1) Download and unzip platform-tools for your PC from https://developer.android.com/studio/releases/platform-tools.html
2) Navigate to https://androidfilehost.com/?w=files&flid=312881 (also mirrored below) and download N5X-6P_BLOD_Workaround_Injector_Addon-AK3-signed.zip to your platform-tools folder as well as
2a) twrp-3.2.1-0-fbe-4core-bullhead.img (Nexus 5X), or
2b) twrp-3.2.1-0-fbe-4core-angler.img (Nexus 6P)
3) Hold Shift + right-click on your platform-tools folder and
3a) Open a command window here (Windows <10), or
3b) Open a PowerShell window here, then enter "cmd" at the Windows PowerShell prompt (Windows 10+)
4) Reboot your phone to bootloader and connect it to your PC with a USB cable
5) Enter "fastboot flash recovery twrp-3.2.1-0-fbe-4core-angler.img" into the cmd prompt
6) Reboot your phone to recovery and tap Advanced, then ADB Sideload
7) Enter "adb sideload N5X-6P_BLOD_Workaround_Injector_Addon-AK3-signed.zip" into the cmd prompt
8) Reboot and cross your fingers that it works
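A small shell wrapper for steps 4 to 7 above, added here as an example and not part of osm0sis's injector or this thread. It assumes platform-tools (adb, fastboot) on PATH and the thread's files in the current directory, and adds one check the manual steps lack: the TWRP image is chosen from the codename the bootloader reports, so a bullhead image is never flashed to an angler or vice versa.

```shell
#!/bin/sh
# Added example, not osm0sis's own tooling: automates steps 4-7 of the BLOD
# procedure and refuses to flash a recovery built for the other device.
# Assumes adb and fastboot on PATH and the thread's files in the cwd.
set -eu

BLOD_ZIP="N5X-6P_BLOD_Workaround_Injector_Addon-AK3-signed.zip"

# Map the bootloader's product codename to the matching 4core TWRP image.
# Returns 1 for anything that is not a Nexus 5X (bullhead) or 6P (angler).
twrp_for_codename() {
    case "$1" in
        bullhead) echo "twrp-3.2.1-0-fbe-4core-bullhead.img" ;;
        angler)   echo "twrp-3.2.1-0-fbe-4core-angler.img" ;;
        *)        return 1 ;;
    esac
}

# Pull the codename out of `fastboot getvar product` output, which fastboot
# writes to stderr as "product: angler" followed by a timing line.
codename_from_getvar() {
    printf '%s\n' "$1" \
        | sed -n 's/^product:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | head -n 1
}

flash_blod_workaround() {
    out=$(fastboot getvar product 2>&1) \
        || { echo "no device in fastboot mode" >&2; return 1; }
    codename=$(codename_from_getvar "$out")
    twrp=$(twrp_for_codename "$codename") \
        || { echo "unsupported device: '$codename'" >&2; return 1; }
    for f in "$twrp" "$BLOD_ZIP"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    done
    fastboot flash recovery "$twrp"          # step 5
    echo "Reboot to recovery, tap Advanced > ADB Sideload and swipe to start."
    adb wait-for-sideload                    # blocks until TWRP is in sideload mode
    adb sideload "$BLOD_ZIP"                 # step 7
}

# Only touch the device when invoked with --run, so the functions above can
# be sourced and checked without a phone attached.
if [ "${1:-}" = "--run" ]; then
    flash_blod_workaround
fi
```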
For information on how to seamlessly update to stock and custom ROM OTAs, see the following post
Source Code: https://github.com/osm0sis/N5X-6P-BLOD-Workaround-Injector
Status: No Longer Updated
Thanks:
- @XCnathan32 for researching and developing the 4core workarounds for both the Nexus 5X and Nexus 6P
- chetgurevitch (GitHub) for the original FBE supporting TWRP builds
- @Aukaminator for the original step-by-step write-up
Update Flashing Instructions
Keep N5X-6P_BLOD_Workaround_Injector_Addon-AK3-signed.zip on your device sdcard, henceforth referred to as BLOD AK3 zip
The correct manual order for a clean flash is: ROM -> root -> custom kernel -> BLOD AK3
Always flash the BLOD AK3 zip last!
Reflashing the BLOD AK3 zip will likely be required after anything that could modify the boot.img or recovery.img, including (but not limited to): ROM updates, custom kernel updates, custom recovery updates.
ROMs:
On custom ROMs with built-in Flash After Update (i.e. OmniROM-based), place your root (if using SuperSU), custom kernel and BLOD AK3 zip in /sdcard/OpenDelta/FlashAfterUpdate/ ensuring the BLOD AK3 is last in the directory listing so that they will be flashed after each update.
On custom ROMs that do not have built-in Flash After Update (i.e. LineageOS-based), you may add my FlashAfterUpdate addon.d script to /system/addon.d/ and then place your root (if using SuperSU), custom kernel and BLOD AK3 zip in /sdcard/FlashAfterUpdate/ ensuring the BLOD AK3 is last for the same effect: flashed after every OTA.
On stock ROM rooted with SuperSU (SuperSU v2.82-SR5 recommended) instead of tapping "Reboot & Install" once the OTA is downloaded you should use @Chainfire's excellent FlashFire app to queue the OTA from /data/ota_package/update_s.zip then queue the SuperSU zip, custom kernel and BLOD AK3 zip, ensuring the BLOD AK3 is last. This is how I have mine set up, since this is by far the most seamless. Be sure to disable EverRoot since SuperSU v2.82-SR5 is newer than the SuperSU included in FlashFire.
On stock ROM rooted with Magisk you must uninstall Magisk from within Magisk Manager to restore your stock boot.img, reboot the ROM to restore your stock recovery partition, tap "Reboot & Install" once the OTA is downloaded, then go through the steps above to flash the 4core TWRP and BLOD AK3 zip again. I definitely recommend SuperSU on this device to avoid the hassle of unrooting and/or messing with factory images.
Kernels:
Custom kernels can be flashed from an app like Franco Kernel Manager & Updater, which can be set to flash without reboot for Franco Kernel updates, or "Flash only" can be chosen in the manual flasher. The FK app supports all types of AnyKernel3 zip so the BLOD AK3 zip may then be flashed after the custom kernel zip to repatch the new kernel's ramdisk.
For other kernel managers that don't support AK3 zips, simply reboot to recovery and flash the BLOD AK3 zip from there to repatch before attempting to boot the ROM again. Also see above under "stock ROM rooted with SuperSU", since FlashFire also works perfectly for this use-case, queuing the custom kernel zip and then the BLOD AK3 zip, with FlashFire's EverRoot option disabled since the device is already rooted.
Recoveries:
Download the updated custom recovery .img and, without flashing it, reboot to recovery, use TWRP's flash image feature to flash the new recovery.img, then without rebooting immediately flash the BLOD AK3 zip to patch it. You can then dump/backup the recovery partition if you want it as a recovery.img. Custom recovery updates can also be done from FlashFire, queuing the BLOD AK3 zip afterward, but the "Preserve recovery" feature must be disabled.
If you prefer to stay on stock recovery for some reason, you can still use TWRP to do the above without flashing TWRP to the device by using "fastboot boot twrp-3.2.1-0-fbe-4core-angler.img".
My development work on my many projects comes out of my free time, so if you enjoy this project or anything else I've done on xda, please consider sponsoring my ongoing work using my GitHub Sponsors profile. For a one-time donation you can hit the donate link from my profile. Thank you for your support!
Changelog
2018-01-15 - Original post in other BLOD threads.
2018-07-21 - Update AK2 Core+Backend files to latest, add searching of all init.*.rc files for problematic cpuset commands which were popularized by Franco Kernel and are now used by multiple custom kernels. (6758 downloads)
2019-10-30 - Update to AnyKernel3, add support for SAR and 2SI Treblized ROMs. (1720 downloads)
2020-01-16 - Update AK3 Core+Backend files to latest to fix AVBv1 signing in recovery on Android 10, update boot_signer-dexed.jar. (570 downloads)
2020-02-17 - Update AK3 Core+Backend files to latest to fix SAR mount support in fragmented TWRP and Lineage 16+17 Recovery. (1412 downloads)
2020-05-25 - Update AK3 Core+Backend files to latest to improve SAR mount support in Lineage 17 Recovery and AVBv1 signing. (1789 downloads)
2021-07-21 - Update AK3 Core+Backend files to latest to support Lineage 18.1 recovery and Android 11 ROMs.
Good luck and enjoy!
Glad to see this exclusive thread... just came here to report that I've been using your fix since Jan this year ( https://forum.xda-developers.com/ne...-6p-bootloop-death-blod-t3640279/post75220708 ) and yeah my phone's still alive and running fine. Kudos to your work... Great job you did there... saving hundreds of bucks... Really appreciated!
Thanks again.
Hi osmosis,
I have done everything you said and I got stuck in step 7, when I enter "adb sideload N5X-6P_BLOD_Workaround_Injector_Addon-AK2-signed.zip", the return message is:
adb: sideload connection failed: closed
adb: trying pre-Kitkat sideload method...
adb: pre-Kitkat sideload connection failed: closed
I tried swiping where it says "Swipe to Start Sideload" and then doing step 7, but when I swipe my computer stops recognizing my device.
Thank you
SH15 said:
Hi osmosis,
I have done everything you said and I got stuck in step 7, when I enter "adb sideload N5X-6P_BLOD_Workaround_Injector_Addon-AK2-signed.zip", the return message is:
adb: sideload connection failed: closed
adb: trying pre-Kitkat sideload method...
adb: pre-Kitkat sideload connection failed: closed
I tried swiping where it says "Swipe to Start Sideload" and then doing step 7, but when I swipe my computer stops recognizing my device.
Thank you
You need to let your computer install drivers for adb sideload. If your computer is having trouble with that for some reason and the recovery otherwise works then just adb push the zip to /sdcard and flash it from the device instead of sideloading. :good:
osm0sis said:
You need to let your computer install drivers for adb sideload. If your computer is having trouble with that for some reason and the recovery otherwise works then just adb push the zip to /sdcard and flash it from on the device instead of sideloading. :good:
Thank you for answering. I had to adb push the file to /sdcard and then I flashed it using TWRP, however even after installing the file the phone is still stuck on the Google logo screen when booting up. I don't know what to do.
Thank you
SH15 said:
Thank you for answering. I had to adb push the file to /sdcard and then I flashed it using TWRP, however even after installing the file the phone is still stuck on the Google logo screen when booting up. I don't know what to do.
Thank you
That's weird. The fact that the recovery worked suggests the 4core fix works for you. Maybe flash the latest factory image then the BLOD AK2 zip.
Can this be flashed on top of the Oreo img from the previous thread? Is this one for Oreo?
I've applied the previous Oreo one and my phone's past the Google logo loop and is now in the loading animation for Lineage OS.
FlameSting said:
Can this be flashed on top of the Oreo img from the previous thread? Is this one for Oreo?
I've applied the previous Oreo one and my phone's past the Google logo loop and is now in the loading animation for Lineage OS.
Please read the OP. It works over any ROM, any custom kernel, any recovery.
osm0sis said:
That's weird. The fact that the recovery worked suggests the 4core fix works for you. Maybe flash the latest factory image then the BLOD AK2 zip.
Thank you very much! I flashed the newest factory image for Oreo and then re-flashed the BLOD AK2 zip and it worked. Thank you for your help! :good:
Idk if I'm in the right place.
I recently replaced my battery (2nd time this week, first one was bad) and everything was working fine. Then my phone started randomly rebooting. Googled it and apparently it's one of the first signs of BLOD. Followed this and the phone stopped shutting down randomly. Now the phone only works if plugged into a power source. Idk if I did something wrong or the battery is trash (even though it was working fine all day)
I'd appreciate any guidance [emoji24]
Sent from my [device_name] using XDA-Developers Legacy app
This saved my day! Thanks everyone! Got my 6P booted up again... and it's not even rooted
I just want to thank @osm0sis for his brilliant solution!
Thanks, I recovered my phone and saved a lot of money.
I understand it could be a temporary solution but thanks!!!
gabriele
After I flashed twrp and try to go to Recovery there is a message "Your device software cannot be checked for corruption. Please lock the bootloader." And after that it goes back to bootloop. Any idea what to do next? Thanks
godd said:
After I flashed twrp and try to go to Recovery there is a message "Your device software cannot be checked for corruption. Please lock the bootloader." And after that it goes back to bootloop. Any idea what to do next? Thanks
That just means you unlocked your device. If no 4core recovery works then unfortunately your device can't be saved.
I had my phone hang on the google logo a couple times, but rebooting it fixed it. Is this an early sign of this problem? Just replaced battery and so far it seems fine.
osm0sis said:
That just means you unlocked your device. If no 4core recovery works then unfortunately your device can't be saved.
I am in this same boat... RIP N6P, this is my 2nd N6P Google replaced the first one due to the BLOD and now the replacement is dead.
Thanks for all the efforts and help.
osm0sis said:
That just means you unlocked your device. If no 4core recovery works then unfortunately your device can't be saved.
It seems the basketbuild site is down. Any chance you could throw the modded twrp for oreo and the 4core fix up here?
osm0sis said:
That just means you unlocked your device. If no 4core recovery works then unfortunately your device can't be saved.
Same as the guy above. Site's down, need mirrors or something?
jbjcurly said:
It seems the basketbuild site is down. Any chance you could throw the modded twrp for oreo and the 4core fix up here?
CavyS said:
Same as the guy above. Site's down, need mirrors or something?
Mirrored in the OP. Thanks!
Edit: And BasketBuild is also back! :good:

[XZ1] rooted kernel hiding bootloader unlock with working fota

rooted kernel hiding bootloader unlock
with working sony stock fw fota updates
for Sony Xperia XZ1
Firmware Over the Air (FOTA) system updates have been disabled/not working on Sony Xperia phones with an unlocked bootloader.
Also many Sony DRM functions are disabled if the firmware detects an unlocked bootloader, even if the device master key was recovered.
I've implemented a kernel patch for Xperia XZ1 Compact / XZ1 / XZ Premium phones that properly masks the bootloader unlock status so it appears as still locked to Sony stock firmware.
This allows FOTA updates to be installed if running completely unmodified stock firmware. This is possible if this kernel is just booted from USB via fastboot instead of being flashed.
The kernel is pre-rooted, so you can have root as usual with Magisk when running this kernel (you can use Magisk systemless patching to make changes to system/vendor partitions without actually modifying them).
For Oreo firmware the boot process is patched to hide Magisk from the Sony RIC daemon that stops the boot in case it thinks the bootloader is still locked. This special patch allows passing SafetyNet, including CTS, while having properly working Magisk.
This kernel may be used (flashed) just to properly enable Sony DRM features, like video image enhancements, if the device master key was recovered via locked-state TA restore.
The way described below to install a FOTA system update works with both a phone with TA restored and a phone with DRM keys lost. Both variants have been tested with XZ1c.
How to use this kernel while planning to do FOTA system update eventually
Update: please see here for the latest usage instructions for kernels in flashable zip archive.
Please see the screenshots below for this kernel in action (with XZ1c) doing a FOTA system update from Oreo to Pie and from Pie to the next Pie version. There is also a video documenting this here. A few longer waiting parts have been cut out to fit the video under YouTube's 15-minute limit for unverified accounts.
if your bootloader is still locked
Use the renoroot exploit to back up your TA, unlock your bootloader and restore TA-locked to recover the device master key as described in the
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented thread.
select one of the prepared kernels and download it
make sure you are running unmodified stock firmware
You need the version corresponding to the selected kernel - reflash the firmware to make sure it is unmodified.
Please note: any mount of the /system or /vendor partitions in write mode would result in modifications even if nothing is copied there.
Be aware that some zip packages flashed from twrp may mount the partitions for write access even when that is not needed.
reboot the phone to fastboot mode
Use either "adb reboot bootloader" or
enter fastboot by holding the powered-off phone's volume up key while connecting it to the PC via USB cable and use the 'fastboot reboot bootloader' command.
boot the downloaded kernel via fastboot
For example (xz1c):
Code:
fastboot boot boot-G8441-47.1.A.16.20-hideunlock-rooted.img
enjoy your rooted phone which thinks it is still locked
Sony apps will be offered to install/update. System FOTA update may come.
Magisk will provide your root when magisk manager app is installed (offered on the first boot).
if you need to use a custom recovery, like TWRP
Do not flash it. If you do, FOTA update verification will fail.
Instead use 'fastboot boot' the same way as with the kernel above, but instead of the kernel, boot the twrp image without flashing it.
to install a FOTA system update
just start the update as usual
let it run until it finishes the installation
try to catch the restart then and hold volume up that time to enter fastboot
you need to use the following command to make the next boot work
Code:
fastboot reboot bootloader
use 'fastboot boot' to boot the kernel for the firmware you are updating to,
for example (xz1c):
Code:
fastboot boot boot-G8441-47.2.A.4.45-hideunlock-rooted.img
if you miss the restart (or do not have the right kernel version),
it does not matter; the installation will finish even when the bootloader unlock is detected on the last reboot into the updated system,
so just 'fastboot boot' the corresponding 'hideunlock-rooted' kernel then
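An added example (not part of j4nn's kernel or this thread) of the version check the thread asks you to do by hand before 'fastboot boot': it parses the model and firmware version out of the image file name and compares them with what the phone reports, refusing to boot a kernel built for a different firmware. It assumes adb/fastboot on PATH, and it assumes (to be verified on your device) that the phone exposes its model as ro.product.model and its firmware version as ro.build.id.

```shell
#!/bin/sh
# Added example, not part of j4nn's kernel or thread: verifies that a
# hideunlock boot image matches the connected phone's model and firmware
# before handing it to 'fastboot boot' (boot, not flash, so the firmware
# stays unmodified for FOTA). Assumes adb and fastboot on PATH.
set -eu

# Split "boot-G8441-47.1.A.16.20-hideunlock-rooted.img" into model and
# firmware version: prints "G8441 47.1.A.16.20", returns 1 if the name does
# not follow the thread's naming scheme.
parse_image_name() {
    name=${1##*/}
    case "$name" in
        boot-*-hideunlock-*.img) ;;
        *) return 1 ;;
    esac
    rest=${name#boot-}
    model=${rest%%-*}
    rest=${rest#"$model"-}
    fw=${rest%%-hideunlock-*}
    printf '%s %s\n' "$model" "$fw"
}

# image_matches_device IMAGE DEVICE_MODEL DEVICE_FW -> 0 if both fields match
image_matches_device() {
    parsed=$(parse_image_name "$1") || return 1
    set -- $parsed "$2" "$3"          # $1=image model $2=image fw $3/$4=device
    [ "$1" = "$3" ] && [ "$2" = "$4" ]
}

# Read model and build id while Android is still running, then reboot to
# fastboot and boot the image without flashing it. ro.product.model and
# ro.build.id holding "G8441" / "47.1.A.16.20" is an assumption.
boot_hideunlock_kernel() {
    img=$1
    model=$(adb shell getprop ro.product.model | tr -d '\r')
    fw=$(adb shell getprop ro.build.id | tr -d '\r')
    if ! image_matches_device "$img" "$model" "$fw"; then
        echo "refusing: $img is not built for $model $fw" >&2
        return 1
    fi
    adb reboot bootloader
    fastboot reboot bootloader        # the thread notes this is needed before 'fastboot boot'
    fastboot boot "$img"
}

# Only touch the device when an image is given on the command line.
if [ "${1:-}" != "" ]; then
    boot_hideunlock_kernel "$1"
fi
```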
Alternative use of this kernel
If you do not like booting from usb via fastboot to startup your phone, you can flash the kernel and boot normally.
But if you then want to install a FOTA system update, you would need to flash the stock kernel first in order to make the firmware untouched again (assuming no other changes to the firmware, like the system or vendor partitions, have been made) and boot the patched kernel via 'fastboot boot' as described above.
You can back up the stock kernel (and recovery) to avoid needing to download the full stock firmware when you need to restore the stock kernel & recovery once you decide to install a FOTA system update - see here and the following post for more details please.
If you do not care about FOTA, just do not install it.
And use this kernel just to enable all sony drm features that are available on a locked phone (assuming locked state TA has been restored).
In case you want to make some modifications to the system or vendor partitions (as you do not care about FOTA), you would need to disable verity in the kernel - please see post#3 for noverity variants of the Oreo kernels and the linked post describing how to switch verity off via Magisk in all Pie kernels.
Downloads
See the post#2 please.
Source code
patched kernel sources to hide bootloader unlock (my-bluhide/* branches)
https://github.com/j4nn/sonyxperiadev-kernel-copyleft
patched magisk sources to hide magisk from sony ric daemon on early boot phase (v19.1-manager-v7.1.2-ric branch)
https://github.com/j4nn/Magisk/tree/v19.1-manager-v7.1.2-ric
The patches are provided under GPL (that means you may include them in your builds, but you need to provide buildable source of released binaries /true for any kernel change btw/).
Credits
Thanks to @tonsofquestions for a lot of initial testing of this concept when I did not have a phone with an unlocked bootloader and for discovering the need to reboot to fastboot by a command to make the 'fastboot boot' command properly boot the supplied kernel image.
Thanks to @topjohnwu for his excellent Magisk tool.
If you find my work useful, consider donating here please:
https://j4nn.github.io/donate/
Thank you.
XDA:DevDB Information
kernel_bluhide_poplar, Kernel for the Sony Xperia XZ1
Contributors
j4nn
Source Code: https://github.com/j4nn/sonyxperiadev-kernel-copyleft
Kernel Special Features: proper hiding of bootloader unlock, sony ric with magisk hack
Version Information
Status: Stable
Stable Release Date: 2019-02-10
Created 2019-02-10
Last Updated 2019-08-07
Downloads
- hideunlock kernel pre-rooted boot images:
Xperia XZ1 (G8341/G8343)
boot-G8341-47.1.A.16.20-hideunlock-magisk-19.1.img
boot-G8341-47.2.A.4.45-hideunlock-rooted.img
boot-G8341-47.2.A.6.30-hideunlock-rooted.img
boot-G8341-47.2.A.8.24-hideunlock-rooted.img
boot-G8341-47.2.A.10.28-hideunlock-rooted.img
boot-G8341-47.2.A.10.45-hideunlock-rooted.img
boot-G8341-47.2.A.10.62-hideunlock-magisk-19.3.img
Xperia XZ1 Dual (G8342)
boot-G8342-47.1.A.16.20-hideunlock-magisk-19.1.img
boot-G8342-47.2.A.4.45-hideunlock-rooted.img
boot-G8342-47.2.A.6.30-hideunlock-rooted.img
boot-G8342-47.2.A.8.24-hideunlock-rooted.img
boot-G8342-47.2.A.10.28-hideunlock-rooted.img
boot-G8342-47.2.A.10.45-hideunlock-rooted.img
boot-G8342-47.2.A.10.62-hideunlock-magisk-19.3.img
- hideunlock kernels flashable to multi fw versions (see here for usage howto):
Xperia XZ1 (G8341/G8343)
kernel-G8341-47.1.A.16.20-hideunlock.zip
kernel-G8341-47.2.A.10.62-hideunlock.zip
kernel-G8341-47.2.A.10.80-hideunlock.zip
kernel-G8341-47.2.A.10.107-hideunlock.zip
kernel-G8341-47.2.A.11.228-hideunlock.zip
Xperia XZ1 Dual (G8342)
kernel-G8342-47.1.A.16.20-hideunlock.zip
kernel-G8342-47.2.A.10.62-hideunlock.zip
kernel-G8342-47.2.A.10.80-hideunlock.zip
kernel-G8342-47.2.A.10.107-hideunlock.zip
kernel-G8142-47.2.A.11.228-hideunlock.zip
Screenshots of XZ1c FOTA system update from oreo 47.1.A.16.20 to pie 47.2.A.4.45
(video available here)
Downloads
This is for alternative use only - please see post#10 for more details.
boot-G8341-47.1.A.16.20-hideunlock-magisk-19.1-noverity.img
boot-G8342-47.1.A.16.20-hideunlock-magisk-19.1-noverity.img
Screenshots of XZ1c FOTA system update from pie 47.2.A.4.45 to pie 47.2.A.6.30 version
(video available here since 08:10 time)
This should be the first paragraph!
j4nn said:
[...] use this kernel just to enable all sony drm features that are available on a locked phone (assuming locked state TA has been restored).
Since I do not care about OTA updates, because we can download every firmware via XperiFirm and flash it via newflasher, I will use your modded kernel in the 'alternative' way! :good:
j4nn said:
Alternative use of this kernel
If you do not like booting from usb via fastboot to startup your phone, you can flash the kernel and boot normally.
@j4nn - I flashed "boot-G8341-47.2.A.6.30-hideunlock-rooted.img" on my G8341 which has the latest Pie firmware (G8341_47.2.A.6.30_Customized DE_1310-4290_R6C) installed, but the device did not boot into Android after that! :crying: I flashed the latest official Magisk before your kernel. Do I need to use your patched Magisk instead?
Did you forget to add the patched magisk flashable img file? "hide magisk from sony ric daemon on early boot phase (v18.1-manager-v7.0.0-ric branch)"
j4nn said:
Downloads
Maybe the firmware version is not compatible with the one you took the kernel from? The firmware folder includes:
kernel_X-FLASH-ALL-C93B.sin
boot/bootloader_X_BOOT_MSM8998_LA2_0_P_107_X-FLASH-ALL-C93B.sin
...
@SGH-i200, I just compared the stock kernel boot image extracted from G8341_Customized DE_1310-4290_47.2.A.6.30_R6C (which I have used to create it) and it seems all good to me:
- os version and patch level match
- device tree blobs are the same
- kernel command line is the same
- extracted kernel config is (except few comments as it is usual) the same, with poplar target (i.e. single sim XZ1)
- ramdisk is the same except changes that are expected (integrated magisk in order to provide root when booted from usb having unmodified stock fw)
Did it result with an infinite hang during boot (which phase of the boot splash animation)?
Or did it reboot during boot (a boot-loop) - which phase?
I am sorry I forgot to mention the kernels for other targets than xz1c have not been tested (I have only xz1c for testing).
But it should be safe to test the above howto as described. Even if the kernel was flashed (instead of just fastboot booted), recovering from this should be as simple as flashing the stock kernel back.
Anybody else tested this with XZ1?
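The field-by-field comparison above (os version and patch level, device tree, command line, kernel, ramdisk) can be scripted. The following is an added example written for this edit, not j4nn's tooling or any Sony code: it parses the Android boot image header (header versions 0 to 2), decodes os_version into the Android version and security patch level, and hashes the kernel, ramdisk, second-stage and dtb sections so two images can be diffed. The two sample images are constructed inline with a made-up command line. Note that where the DTBs are appended to the kernel blob (the usual arrangement for header-version-0 images), a device tree change shows up as a kernel hash difference, not in the dtb field.

```python
import hashlib
import struct

HDR_V0_SIZE = 1632            # sizeof(boot_img_hdr_v0)
PAGE = 4096                   # assumed page size for the constructed samples


def encode_os_version(a, b, c, year, month):
    """Pack Android version A.B.C plus patch level YYYY-MM into os_version."""
    ver = (a << 14) | (b << 7) | c
    patch = ((year - 2000) << 4) | month
    return (ver << 11) | patch


def decode_os_version(v):
    """Inverse of encode_os_version, e.g. ('9.0.0', '2019-03')."""
    ver, patch = v >> 11, v & 0x7FF
    return (f"{(ver >> 14) & 0x7F}.{(ver >> 7) & 0x7F}.{ver & 0x7F}",
            f"{(patch >> 4) + 2000}-{patch & 0xF:02d}")


def _pad(blob, page):
    return blob + b"\0" * (-len(blob) % page)


def build_boot_image(kernel, ramdisk, cmdline, os_version, page=PAGE):
    """Assemble a header-version-0 image: header page, kernel, ramdisk."""
    hdr = struct.pack("<8s10I16s512s8I1024s", b"ANDROID!",
                      len(kernel), 0x80008000, len(ramdisk), 0x81000000,
                      0, 0x80F00000, 0x80000100, page, 0, os_version,
                      b"", cmdline.encode(), *([0] * 8), b"")
    return _pad(hdr, page) + _pad(kernel, page) + _pad(ramdisk, page)


def parse_boot_image(img):
    """Return header fields plus SHA-256 of each section (header v0..v2)."""
    if img[:8] != b"ANDROID!":
        raise ValueError("not an Android boot image")
    f = struct.unpack_from("<10I16s512s8I1024s", img, 8)
    ksz, rsz, ssz, page, hver, osv = f[0], f[2], f[4], f[7], f[8], f[9]
    cmdline = f[11].rstrip(b"\0") + f[20].rstrip(b"\0")

    off = page                                  # sections start after the header page

    def section(size):
        nonlocal off
        blob = img[off:off + size]
        off += -(-size // page) * page          # every section is page aligned
        return blob

    kernel, ramdisk, second = section(ksz), section(rsz), section(ssz)
    dtb = b""
    if hver >= 1:                               # v1 adds recovery_dtbo, v2 adds dtb
        section(struct.unpack_from("<I", img, HDR_V0_SIZE)[0])
        if hver >= 2:
            dtb = section(struct.unpack_from("<I", img, HDR_V0_SIZE + 16)[0])

    version, patch = decode_os_version(osv)

    def sha(b):
        return hashlib.sha256(b).hexdigest()

    return {"header_version": hver, "page_size": page,
            "os_version": version, "patch_level": patch,
            "cmdline": cmdline.decode(errors="replace"),
            "kernel": sha(kernel), "ramdisk": sha(ramdisk),
            "second": sha(second), "dtb": sha(dtb)}


def compare_boot_images(a, b):
    """Names of the fields that differ between two boot images."""
    pa, pb = parse_boot_image(a), parse_boot_image(b)
    return [k for k in pa if pa[k] != pb[k]]


# Constructed sample images, not real firmware: same kernel and command line,
# only the ramdisk differs (as with a repack that integrates Magisk).
OSV = encode_os_version(9, 0, 0, 2019, 3)
CMDLINE = "console=null androidboot.hardware=qcom"      # assumed, illustrative only
STOCK = build_boot_image(b"\x1f\x8b" + b"K" * 3000, b"\x1f\x8b" + b"R" * 500, CMDLINE, OSV)
PATCHED = build_boot_image(b"\x1f\x8b" + b"K" * 3000, b"\x1f\x8b" + b"M" * 700, CMDLINE, OSV)

if __name__ == "__main__":
    print("differs in:", compare_boot_images(STOCK, PATCHED))
```

To run it against real images, read both files with `open(path, "rb").read()` and pass them to `compare_boot_images`; anything beyond `ramdisk` in the result (a changed `cmdline`, `kernel` or `patch_level`) means the repack was not taken from the firmware you are running, which is the first thing to rule out when a flashed image hangs at the splash screen.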
j4nn said:
Did it result with an infinite hang during boot (which phase of the boot splash animation)?
Or did it reboot during boot (a boot-loop) - which phase?
The SONY white splash screen appeared (with only black SONY text) and then it hung forever.
j4nn said:
Even if the kernel was flashed (instead of just fastboot booted), recovering from this should be as simple as flashing the stock kernel back.
I flashed the kernel_X-FLASH-ALL-C93B.sin (and everything else as I did to upgrade to latest Pie) from the stock fw to recover.
After the XZ1 was booting again, I executed the fastboot booting, without problems!
adb reboot bootloader
fastboot boot boot-G8341-47.2.A.6.30-hideunlock-rooted.img
@SGH-i200, that sounds good. Now just flash it:
Code:
adb reboot bootloader
fastboot flash boot boot-G8341-47.2.A.6.30-hideunlock-rooted.img
disconnect from usb and power on.
If it booted from usb, I believe it should boot just fine if flashed as above too.
j4nn said:
If it booted from usb, I believe it should boot just fine if flashed as above too.
I flashed your patched kernel again and got into a bootloop: Bootloader unlocked warning and white SONY splash screen in an endless loop.
Since my XZ1 was connected to my Windows workstation already, I simply long pressed the volume up button till the notification light went blue, and booted into twrp to restore the stock kernel (rooted by Magisk to remove the dmverity stuff).
@SGH-i200, you are right, it is the verity thing.
I've assumed that verity is ignored when kernel detects unlocked bootloader, because the dm-android-verity kernel component used that is_unlocked() call to:
/* Allow invalid metadata when the device is unlocked */
- that comment is in the dm-android-verity.c source code.
But it looks like that is only a corner case and if verity metadata is valid, verity is active (if not disabled in device tree) even with unlocked bootloader.
Now I am wondering: for OTA updates we need untouched system, so having verity enabled in the kernel is good for this purpose - when you flash something that writes to system or vendor, you may detect it soon enough to be able to tell what it was. The main feature of magisk is that you should be able to "modify" system "systemlessly", i.e. without really writing to system or vendor partitions.
From this point of view it should be all good then.
But I understand that the "alternative" use of this kernel, i.e. not planning to do FOTA at all, just using only the unlock hide feature restoring drm functionality and using root the old way (with real writes to system) may be liked.
For this, just use magisk manager main screen, in "Advanced Settings" unselect the "Preserve AVB 2.0/dm-verity" option and then use the "Magisk INSTALL" button, confirm install of Magisk-v*.zip, select "Patch Boot Image File", browse to sdcard where you put my kernel image and select it.
Magisk will repack the boot image disabling dm-verity in device tree blobs, noting where you can find patched_boot.img.
Flash that and you should be good to go.
This procedure is valid for all my pie kernel builds.
I will repack the oreo 16.20 build as using magisk manager gui would not keep the magisk patch for sony ric daemon.
-- edit --
Updated post#3 with downloads of oreo kernels noverity repacks.
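What unselecting "Preserve AVB 2.0/dm-verity" amounts to, shown on the text form of an fstab as an added example (written for this edit, not Magisk's own patcher): the dm-verity and AVB fs_mgr flags are stripped from every entry, and optionally forceencrypt is turned into encryptable, which is the encryption half of the "verity and encryption" setting a repacked image carries. On the pie kernels here the fstab lives in the device tree (the fstab node's fsmgr_flags property) rather than as a text file in the ramdisk, but the flag names are the same, so the same filter applies once the DTB is unpacked. The flag list and the sample fstab are assumptions made for the example.

```python
import re

# fs_mgr flags that enable dm-verity / AVB on a partition. Assumed list for
# this example; Magisk keeps its own table.
VERITY_FLAGS = {"verify", "avb", "avb_keys", "support_scfs"}


def _is_verity_flag(flag):
    return flag.split("=", 1)[0] in VERITY_FLAGS


def _entries(text):
    """Yield (line, fields); comments, blank and short lines yield fields=None."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 5:
            yield line, None
        else:
            yield line, fields


def patch_fstab(text, keep_force_encrypt=True):
    """Drop verity flags from the fs_mgr_flags column (5th field); with
    keep_force_encrypt=False also rewrite forceencrypt=<x> to encryptable=<x>."""
    out = []
    for line, fields in _entries(text):
        if fields is None:
            out.append(line)
            continue
        flags = [f for f in fields[4].split(",") if not _is_verity_flag(f)]
        if not keep_force_encrypt:
            flags = [re.sub(r"^forceencrypt=", "encryptable=", f) for f in flags]
        fields[4] = ",".join(flags) or "defaults"
        out.append("\t".join(fields))
    return "\n".join(out) + "\n"


def verity_enabled(text):
    """True if any partition still carries a dm-verity/AVB fs_mgr flag."""
    return any(fields is not None
               and any(_is_verity_flag(f) for f in fields[4].split(","))
               for _, fields in _entries(text))


def fs_mgr_flags(text, mount_point):
    """fs_mgr flags of the entry mounted at mount_point, or None."""
    for _, fields in _entries(text):
        if fields is not None and fields[1] == mount_point:
            return fields[4].split(",")
    return None


# Constructed sample fstab (not from any Sony firmware): system and vendor are
# verity protected, userdata is force-encrypted.
SAMPLE_FSTAB = """\
# <src>                                 <mnt>    <type> <mnt_flags>           <fs_mgr_flags>
/dev/block/bootdevice/by-name/system    /system  ext4   ro,barrier=1          wait,verify
/dev/block/bootdevice/by-name/vendor    /vendor  ext4   ro,barrier=1          wait,avb,slotselect
/dev/block/bootdevice/by-name/userdata  /data    ext4   noatime,nosuid,nodev  wait,check,forceencrypt=footer
"""

if __name__ == "__main__":
    print("verity before:", verity_enabled(SAMPLE_FSTAB))
    print(patch_fstab(SAMPLE_FSTAB, keep_force_encrypt=False))
```

The check function is the useful half for this thread: run `verity_enabled` over the fstab pulled out of the boot image you are about to flash, and if it still says True while you have a modified system or vendor, expect exactly the boot loop described above.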
Thanks for the kernel, but after flashing the kernel the phone doesn't go into doze (deep sleep). Any suggestions on this?
j4nn said:
Now I am wondering: for OTA updates we need untouched system, so having verity enabled in the kernel is good for this purpose - when you flash something that writes to system or vendor, you may detect it soon enough to be able to tell what it was. The main feature of magisk is that you should be able to "modify" system "systemlessly", i.e. without really writing to system or vendor partitions. From this point of view it should be all good then.
I use AdAway and activated NightLight by copying an apk to /vendor/overlay.
Thanks for creating the noverity Oreo kernel versions! :good:
---------- Post added at 09:04 AM ---------- Previous post was at 08:57 AM ----------
j4nn said:
The main feature of magisk is that you should be able to "modify" system "systemlessly", i.e. without really writing to system or vendor partitions.
But I understand that the "alternative" use of this kernel, i.e. not planning to do FOTA at all, just using only the unlock hide feature restoring drm functionality and using root the old way (with real writes to system) may be liked.
For this, just use magisk manager main screen, in "Advanced Settings" unselect the "Preserve AVB 2.0/dm-verity" option and then use the "Magisk INSTALL" button, confirm install of Magisk-v*.zip, select "Patch Boot Image File", browse to sdcard where you put my kernel image and select it.
Magisk will repack the boot image disabling dm-verity in device tree blobs, noting where you can find patched_boot.img. Flash that and you should be good to go. This procedure is valid for all my pie kernel builds.
If I flash your patched Pie kernel via TWRP and flash Magisk right after, this should have the same effect as patching your kernel via the Magisk app, right?
@j4nn - "using root the old way (with real writes to system)" - will flashing Magisk via TWRP change this to system-less root?
sinkoo1979 said:
Thanks for the kernel, but after flashing the kernel the phone doesn't go into doze (deep sleep). Any suggestions on this?
I have no idea. In my opinion, if you get such behaviour with my kernel, you will get exactly the same behaviour with stock kernel of the same version.
My kernel is compiled from sony's open source kernel package, with kernel config that's identical (except few comment lines) to the one compiled in stock kernel.
My kernel patch only fixes kernel command line that comes from bootloader and hijacks trust zone api to mask the bootloader status to appear as still locked to firmware's userspace.
These changes hardly could have any influence on power saving behaviour.
Please flash the same version stock kernel and test again for deep sleep.
Could that not be caused by some app you've installed?
SGH-i200 said:
If I flash your patched Pie kernel via TWRP and flash Magisk right after, this should have the same effect as patching your kernel via the Magisk app, right?
@j4nn - "using root the old way (with real writes to system)" - will flashing Magisk via TWRP change this to system-less root?
Most likely flashing magisk via twrp after flashing the patched pie kernel would disable verity too.
Using the image file - you have it under your control.
Flashing from twrp - some magisk scripting tries to detect if verity should be disabled or not.
Also a kernel image already containing magisk contains the setting of verity and encryption - not sure how that is used when flashing magisk again over it.
I tried it with my xz1c and verity was flipped from enabled to disabled - so the same effect (this time).
But as described, some detection is used, so the results might not always be the same.
j4nn said:
I have no idea. In my opinion, if you get such behaviour with my kernel, you will get exactly the same behaviour with stock kernel of the same version.
My kernel is compiled from sony's open source kernel package, with kernel config that's identical (except few comment lines) to the one compiled in stock kernel.
My kernel patch only fixes kernel command line that comes from bootloader and hijacks trust zone api to mask the bootloader status to appear as still locked to firmware's userspace.
These changes hardly could have any influence on power saving behaviour.
Please flash the same version stock kernel and test again for deep sleep.
Could that not be caused by some app you've installed?
reflashed stock firmware and everything is fine. Thanks for the kernel.
j4nn said:
Downloads
This is for alternative use only - please see post#10 for more details.
boot-G8341-47.1.A.16.20-hideunlock-rooted-noverity.img
boot-G8342-47.1.A.16.20-hideunlock-rooted-noverity.img
Screenshots of XZ1c FOTA system update from pie 47.2.A.4.45 to pie 47.2.A.6.30 version
(video available here since 08:10 time)
Hi j4nn
I unlocked my bootloader on 47.1.A.16.20 and lost my drm keys. I upgraded via newflasher_v13 to 47.2.A.4.45 Customised SG as that is where I am based and where my phone is from. Unfortunately when I flash boot-G8342-47.2.A.4.45-hideunlock-rooted.img my phone still boots up showing the device has been unlocked and the Backup and Restore feature of Xperia devices does not work. Am I correct to say that if I lost my drm keys I am unable to use this kernel to hide my bootloader unlock?
Thank you for answering me.
Working fine on xz1 pie 47.2.A.6.30 with blx firmware, kernel flashed with twrp, widevine is L1 now, and Bravia engine working
@leonaheidern, the kernel would hide the unlocked bootloader regardless of whether you lost drm keys or restored locked TA.
Please check your kernel build date in the about menu when you boot your phone.
@j4nn, I have a quick question, and a bit off topic. I'm still tinkering a bit, but I did manage to back up my ta. and I flashed janjan's, so things may seem a bit off (see pic). But I did restore my ta. before flashing Jan's kernel. Any idea what may happen if I flashed yours on top?
oh and everything is working..
@lilbrat, I guess that the result would be the same if you flashed my kernel without flashing janjan's before it.
Just note please, my kernels as they are have verity enabled, so you need to have unmodified stock fw.
Or disable verity as hinted for alternative use.
With my kernel and restored TA your security screen would look perfect as with a still locked phone.
j4nn said:
@lilbrat, I guess that the result would be the same if you flashed my kernel without flashing janjan's before it.
Just note please, my kernels as they are have verity enabled, so you need to have unmodified stock fw.
Or disable verity as hinted for alternative use.
With my kernel and restored TA your security screen would look perfect as with a still locked phone.
OK, thanks for the info. Now I have another question: now that the xz1 has a new update out (and granted, it will take you a bit to catch up if you need to redo all the kernels you have going - great work by the way), will I need to reflash my ta. backup for the new firmware, or just your kernel?

oneplus 7 pro, any non stock kernel refuses to boot

Dear specialists on the XDA,
Normally I ask no questions in order to save people's precious time; however, this time I have a problem which I fail to understand and cannot resolve using the documentation available on the internet.
I have done extensive reading and know how to build software, but am simply missing a link here.
I am trying to boot a home-built kernel on a OnePlus 7 Pro device, with no luck so far.
Here is the situation so far: after hours of headaches I have successfully built myself a kernel straight from the stock sources, with no alterations, just using the msm8150-perf.defconfig file, and it built successfully with clang 9.0.5. There are only a few warnings, nothing serious, and the dtb has many warnings, but I get what I need. I have done this before for my OnePlus 3 and indeed the kernel was working.
Assuming the kernel is in a functional state, I used the latest version of Android Image Kitchen to unpack the boot image (which I extracted from the right active slot), replaced the kernel file and repacked the boot.img successfully into a new image file.
No luck after trying to boot into the image using fastboot: the screen hangs forever. The bootloader is unlocked, btw.
So far I have tried:
1. Signing the boot image using boot signer
2. Unpack/repack using android image editor (which signs the image)
3. Repack using different kernel image files from xda which I expect to be good and working
4. Flash signed image straight into active slot.
5. Completely read through the anykernel1, 2 and 3 scripts to find answers.
No matter what I try, the kernel does not boot. Either the fastboot screen hangs forever or the system reboots back into its currently working active slot.
I have to add that this boot image contains Magisk.
I am out of ideas. Please help me out. I hope that you can point me in a good direction.